[selinux-policy/f13/master] - Allow mysqld-safe to send system log messages - Add dirsrv and dirsrv-admin policy - Allow nagios
Miroslav Grepl
mgrepl at fedoraproject.org
Mon Nov 15 17:38:32 UTC 2010
commit b707bc7be7a5d2e62f742df49c61391fef149b00
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Mon Nov 15 18:38:26 2010 +0100
- Allow mysqld-safe to send system log messages
- Add dirsrv and dirsrv-admin policy
- Allow nagios plugins to read usr files
modules-targeted.conf | 14 +
policy-F13.patch | 662 ++++++++++++++++++++++++++++++++++++++++++++++++-
selinux-policy.spec | 8 +-
3 files changed, 674 insertions(+), 10 deletions(-)
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index f17558d..4f68a1a 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -195,6 +195,20 @@ bind = module
bugzilla = module
# Layer: services
+# Module: dirsrv
+#
+# An 309 directory server
+#
+dirsrv = module
+
+# Layer: services
+# Module: dirsrv-admin
+#
+# An 309 directory admin server
+#
+dirsrv-admin = module
+
+# Layer: services
# Module: dnsmasq
#
# A lightweight DHCP and caching DNS server.
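Review bot: The two new module descriptions read `# An 309 directory server` and `# An 309 directory admin server`, which does not match the product name used elsewhere in this commit (the spec adds `Conflicts: 389-ds-base < 1.2.7, 389-admin < 1.1.12`), so "309" looks like a typo for 389 and "An" should be "A". Suggest `# 389 Directory Server` for the dirsrv entry and `# 389 Directory Server administration server` for dirsrv-admin, so the module list matches the package names it is shipped against.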
diff --git a/policy-F13.patch b/policy-F13.patch
index 558a15e..b777f7c 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -21329,6 +21329,613 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
dbus_system_bus_client(dhcpd_t)
dbus_connect_system_bus(dhcpd_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv-admin.fc serefpolicy-3.7.19/policy/modules/services/dirsrv-admin.fc
+--- nsaserefpolicy/policy/modules/services/dirsrv-admin.fc 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.7.19/policy/modules/services/dirsrv-admin.fc 2010-11-15 14:19:02.503399070 +0100
+@@ -0,0 +1,11 @@
++/etc/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
++
++/etc/dirsrv/dsgw(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
++
++/usr/sbin/restart-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
++/usr/sbin/start-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
++/usr/sbin/stop-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
++
++/usr/lib64/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
++/usr/lib64/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv-admin.if serefpolicy-3.7.19/policy/modules/services/dirsrv-admin.if
+--- nsaserefpolicy/policy/modules/services/dirsrv-admin.if 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.7.19/policy/modules/services/dirsrv-admin.if 2010-11-15 14:19:02.504398934 +0100
+@@ -0,0 +1,95 @@
++## <summary>Administration Server for Directory Server, dirsrv-admin.</summary>
++
++########################################
++## <summary>
++## Exec dirsrv-admin programs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrvadmin_run_exec',`
++ gen_require(`
++ type dirsrvadmin_exec_t;
++ ')
++
++ allow $1 dirsrvadmin_exec_t:dir search_dir_perms;
++ can_exec($1, dirsrvadmin_exec_t)
++')
++
++########################################
++## <summary>
++## Exec cgi programs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrvadmin_run_httpd_script_exec',`
++ gen_require(`
++ type httpd_dirsrvadmin_script_exec_t;
++ ')
++
++ allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms;
++ can_exec($1, httpd_dirsrvadmin_script_exec_t)
++')
++
++########################################
++## <summary>
++## Manage dirsrv-adminserver configuration files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrvadmin_read_config',`
++ gen_require(`
++ type dirsrvadmin_config_t;
++ ')
++
++ read_files_pattern($1, dirsrvadmin_config_t, dirsrvadmin_config_t)
++')
++
++########################################
++## <summary>
++## Manage dirsrv-adminserver configuration files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrvadmin_manage_config',`
++ gen_require(`
++ type dirsrvadmin_config_t;
++ ')
++
++ allow $1 dirsrvadmin_config_t:dir manage_dir_perms;
++ allow $1 dirsrvadmin_config_t:file manage_file_perms;
++')
++
++########################################
++## <summary>
++## Manage dirsrv-adminserver tmp files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrvadmin_manage_tmp',`
++ gen_require(`
++ type dirsrvadmin_tmp_t;
++ ')
++
++ manage_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++ manage_dirs_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv-admin.te serefpolicy-3.7.19/policy/modules/services/dirsrv-admin.te
+--- nsaserefpolicy/policy/modules/services/dirsrv-admin.te 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.7.19/policy/modules/services/dirsrv-admin.te 2010-11-15 14:19:02.523147846 +0100
+@@ -0,0 +1,92 @@
++policy_module(dirsrv-admin,1.0.0)
++
++########################################
++#
++# Declarations for the daemon
++#
++
++type dirsrvadmin_t;
++type dirsrvadmin_exec_t;
++init_daemon_domain(dirsrvadmin_t, dirsrvadmin_exec_t)
++role system_r types dirsrvadmin_t;
++
++type dirsrvadmin_config_t;
++files_type(dirsrvadmin_config_t)
++
++type dirsrvadmin_tmp_t;
++files_tmp_file(dirsrvadmin_tmp_t)
++
++########################################
++#
++# Local policy for the daemon
++#
++allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms;
++allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config };
++
++manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++files_tmp_filetrans(dirsrvadmin_t, dirsrvadmin_tmp_t, { file dir })
++
++kernel_read_system_state(dirsrvadmin_t)
++
++corecmd_exec_bin(dirsrvadmin_t)
++corecmd_read_bin_symlinks(dirsrvadmin_t)
++corecmd_search_bin(dirsrvadmin_t)
++corecmd_shell_entry_type(dirsrvadmin_t)
++
++files_exec_etc_files(dirsrvadmin_t)
++
++logging_search_logs(dirsrvadmin_t)
++
++miscfiles_read_localization(dirsrvadmin_t)
++
++# Needed for stop and restart scripts
++dirsrv_read_var_run(dirsrvadmin_t)
++
++apache_domtrans(dirsrvadmin_t)
++apache_signal(dirsrvadmin_t)
++
++########################################
++#
++# Local policy for the CGIs
++#
++#
++#
++# Create a domain for the CGI scripts
++apache_content_template(dirsrvadmin)
++
++allow httpd_dirsrvadmin_script_t self:process { getsched getpgid };
++allow httpd_dirsrvadmin_script_t self:capability { setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
++allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
++allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms;
++allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
++allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
++allow httpd_dirsrvadmin_script_t self:sem create_sem_perms;
++
++kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
++
++corenet_sendrecv_unlabeled_packets(httpd_dirsrvadmin_script_t)
++corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t)
++corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
++corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t)
++
++files_search_var_lib(httpd_dirsrvadmin_script_t)
++
++sysnet_read_config(httpd_dirsrvadmin_script_t)
++
++manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
++files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
++
++# The CGI scripts must be able to manage dirsrv-admin
++dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t)
++dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t)
++dirsrv_domtrans(httpd_dirsrvadmin_script_t)
++dirsrv_signal(httpd_dirsrvadmin_script_t)
++dirsrv_signull(httpd_dirsrvadmin_script_t)
++dirsrv_manage_log(httpd_dirsrvadmin_script_t)
++dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t)
++dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t)
++dirsrv_manage_var_run(httpd_dirsrvadmin_script_t)
++dirsrv_manage_config(httpd_dirsrvadmin_script_t)
++dirsrv_read_share(httpd_dirsrvadmin_script_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv.fc serefpolicy-3.7.19/policy/modules/services/dirsrv.fc
+--- nsaserefpolicy/policy/modules/services/dirsrv.fc 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.7.19/policy/modules/services/dirsrv.fc 2010-11-15 14:19:02.524147919 +0100
+@@ -0,0 +1,20 @@
++/etc/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_config_t,s0)
++
++/usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0)
++/usr/sbin/ldap-agent -- gen_context(system_u:object_r:initrc_exec_t,s0)
++/usr/sbin/ldap-agent-bin -- gen_context(system_u:object_r:dirsrv_snmp_exec_t,s0)
++/usr/sbin/start-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
++/usr/sbin/restart-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
++
++/usr/share/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_share_t,s0)
++
++/var/run/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_var_run_t,s0)
++/var/run/ldap-agent\.pid gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0)
++
++/var/lib/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
++
++/var/lock/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
++
++/var/log/dirsrv(/.*) gen_context(system_u:object_r:dirsrv_var_log_t,s0)
++
++/var/log/dirsrv/ldap-agent.log gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv.if serefpolicy-3.7.19/policy/modules/services/dirsrv.if
+--- nsaserefpolicy/policy/modules/services/dirsrv.if 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.7.19/policy/modules/services/dirsrv.if 2010-11-15 14:19:02.524147919 +0100
+@@ -0,0 +1,193 @@
++## <summary>policy for dirsrv</summary>
++
++########################################
++## <summary>
++## Execute a domain transition to run dirsrv.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`dirsrv_domtrans',`
++ gen_require(`
++ type dirsrv_t, dirsrv_exec_t;
++ ')
++
++ domtrans_pattern($1, dirsrv_exec_t,dirsrv_t)
++
++ ifdef(`hide_broken_symptoms', `
++ dontaudit dirsrv_t $1:socket_class_set { read write };
++ ')
++')
++
++
++########################################
++## <summary>
++## Allow caller to signal dirsrv.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrv_signal',`
++ gen_require(`
++ type dirsrv_t;
++ ')
++
++ allow $1 dirsrv_t:process signal;
++')
++
++
++########################################
++## <summary>
++## Send a null signal to dirsrv.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrv_signull',`
++ gen_require(`
++ type dirsrv_t;
++ ')
++
++ allow $1 dirsrv_t:process signull;
++')
++
++#######################################
++## <summary>
++## Allow a domain to manage dirsrv logs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrv_manage_log',`
++ gen_require(`
++ type dirsrv_var_log_t;
++ ')
++
++ allow $1 dirsrv_var_log_t:dir manage_dir_perms;
++ allow $1 dirsrv_var_log_t:file manage_file_perms;
++ allow $1 dirsrv_var_log_t:fifo_file manage_fifo_file_perms;
++')
++
++#######################################
++## <summary>
++## Allow a domain to manage dirsrv /var/lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrv_manage_var_lib',`
++ gen_require(`
++ type dirsrv_var_lib_t;
++ ')
++ allow $1 dirsrv_var_lib_t:dir manage_dir_perms;
++ allow $1 dirsrv_var_lib_t:file manage_file_perms;
++')
++
++#######################################
++## <summary>
++## Allow a domain to manage dirsrv /var/run files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrv_manage_var_run',`
++ gen_require(`
++ type dirsrv_var_run_t;
++ ')
++ allow $1 dirsrv_var_run_t:dir manage_dir_perms;
++ allow $1 dirsrv_var_run_t:file manage_file_perms;
++ allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
++')
++
++######################################
++## <summary>
++## Allow a domain to create dirsrv pid directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrv_pid_filetrans',`
++ gen_require(`
++ type dirsrv_var_run_t;
++ ')
++ # Allow creating a dir in /var/run with this type
++ files_pid_filetrans($1, dirsrv_var_run_t, dir)
++')
++
++#######################################
++## <summary>
++## Allow a domain to read dirsrv /var/run files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrv_read_var_run',`
++ gen_require(`
++ type dirsrv_var_run_t;
++ ')
++ allow $1 dirsrv_var_run_t:dir list_dir_perms;
++ allow $1 dirsrv_var_run_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++## Manage dirsrv configuration files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrv_manage_config',`
++ gen_require(`
++ type dirsrv_config_t;
++ ')
++
++ allow $1 dirsrv_config_t:dir manage_dir_perms;
++ allow $1 dirsrv_config_t:file manage_file_perms;
++')
++
++########################################
++## <summary>
++## Read dirsrv share files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dirsrv_read_share',`
++ gen_require(`
++ type dirsrv_share_t;
++ ')
++
++ allow $1 dirsrv_share_t:dir list_dir_perms;
++ allow $1 dirsrv_share_t:file read_file_perms;
++ allow $1 dirsrv_share_t:lnk_file read;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dirsrv.te serefpolicy-3.7.19/policy/modules/services/dirsrv.te
+--- nsaserefpolicy/policy/modules/services/dirsrv.te 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.7.19/policy/modules/services/dirsrv.te 2010-11-15 14:19:02.524147919 +0100
+@@ -0,0 +1,172 @@
++policy_module(dirsrv,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++# main daemon
++type dirsrv_t;
++type dirsrv_exec_t;
++domain_type(dirsrv_t)
++init_daemon_domain(dirsrv_t, dirsrv_exec_t)
++
++type dirsrv_snmp_t;
++type dirsrv_snmp_exec_t;
++domain_type(dirsrv_snmp_t)
++init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t)
++
++type dirsrv_var_lib_t;
++files_type(dirsrv_var_lib_t)
++
++type dirsrv_var_log_t;
++logging_log_file(dirsrv_var_log_t)
++
++type dirsrv_snmp_var_log_t;
++logging_log_file(dirsrv_snmp_var_log_t)
++
++type dirsrv_var_run_t;
++files_pid_file(dirsrv_var_run_t)
++
++type dirsrv_snmp_var_run_t;
++files_pid_file(dirsrv_snmp_var_run_t)
++
++type dirsrv_var_lock_t;
++files_lock_file(dirsrv_var_lock_t)
++
++type dirsrv_config_t;
++files_type(dirsrv_config_t)
++
++type dirsrv_tmp_t;
++files_tmp_file(dirsrv_tmp_t)
++
++type dirsrv_tmpfs_t;
++files_tmpfs_file(dirsrv_tmpfs_t)
++
++type dirsrv_share_t;
++files_type(dirsrv_share_t);
++
++########################################
++#
++# dirsrv local policy
++#
++allow dirsrv_t self:process { getsched setsched setfscreate signal_perms};
++allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner };
++allow dirsrv_t self:fifo_file rw_fifo_file_perms;
++allow dirsrv_t self:sem create_sem_perms;
++allow dirsrv_t self:tcp_socket create_stream_socket_perms;
++
++manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
++fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file)
++
++manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
++manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
++files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file })
++
++manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
++manage_fifo_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
++allow dirsrv_t dirsrv_var_log_t:dir { setattr };
++logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir })
++
++manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
++files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file sock_file })
++
++manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
++
++manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
++manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
++files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, { file })
++
++manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
++manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
++
++manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
++manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
++files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir })
++
++kernel_read_system_state(dirsrv_t)
++
++corecmd_search_sbin(dirsrv_t)
++
++corenet_all_recvfrom_unlabeled(dirsrv_t)
++corenet_all_recvfrom_netlabel(dirsrv_t)
++corenet_tcp_sendrecv_generic_if(dirsrv_t)
++corenet_tcp_sendrecv_generic_node(dirsrv_t)
++corenet_tcp_sendrecv_all_ports(dirsrv_t)
++corenet_tcp_bind_all_nodes(dirsrv_t)
++corenet_tcp_bind_ldap_port(dirsrv_t)
++corenet_tcp_bind_all_rpc_ports(dirsrv_t)
++corenet_udp_bind_all_rpc_ports(dirsrv_t)
++corenet_tcp_connect_all_ports(dirsrv_t)
++corenet_sendrecv_ldap_server_packets(dirsrv_t)
++corenet_sendrecv_all_client_packets(dirsrv_t)
++
++dev_read_urand(dirsrv_t)
++
++files_read_etc_files(dirsrv_t)
++files_read_usr_symlinks(dirsrv_t)
++
++fs_getattr_all_fs(dirsrv_t)
++
++miscfiles_read_localization(dirsrv_t)
++
++sysnet_dns_name_resolve(dirsrv_t)
++
++optional_policy(`
++ apache_dontaudit_leaks(dirsrv_t)
++')
++
++optional_policy(`
++ kerberos_read_config(dirsrv_t)
++ kerberos_dontaudit_write_config(dirsrv_t)
++')
++
++########################################
++#
++# dirsrv-snmp local policy
++#
++allow dirsrv_snmp_t self:capability { dac_override dac_read_search };
++allow dirsrv_snmp_t self:fifo_file rw_fifo_file_perms;
++
++rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
++
++read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
++
++read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)
++
++manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t)
++files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file })
++search_dirs_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
++
++manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);
++filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file)
++
++corenet_tcp_connect_agentx_port(dirsrv_snmp_t)
++
++dev_read_rand(dirsrv_snmp_t)
++dev_read_urand(dirsrv_snmp_t)
++
++domain_use_interactive_fds(dirsrv_snmp_t)
++
++#files_manage_var_files(dirsrv_snmp_t)
++files_read_etc_files(dirsrv_snmp_t)
++files_read_usr_files(dirsrv_snmp_t)
++
++fs_getattr_tmpfs(dirsrv_snmp_t)
++fs_search_tmpfs(dirsrv_snmp_t)
++
++miscfiles_read_localization(dirsrv_snmp_t)
++
++sysnet_read_config(dirsrv_snmp_t)
++sysnet_dns_name_resolve(dirsrv_snmp_t)
++
++optional_policy(`
++ snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t)
++ snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t)
++ snmp_append_snmp_var_lib_files(dirsrv_snmp_t)
++ snmp_stream_connect(dirsrv_snmp_t)
++')
++
++optional_policy(`
++ rpcbind_stream_connect(initrc_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.7.19/policy/modules/services/djbdns.if
--- nsaserefpolicy/policy/modules/services/djbdns.if 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/djbdns.if 2010-05-28 09:42:00.101610733 +0200
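Review bot: The dirsrv.fc entries `/etc/dirsrv(/.*)`, `/usr/share/dirsrv(/.*)`, `/var/run/dirsrv(/.*)`, `/var/lib/dirsrv(/.*)`, `/var/lock/dirsrv(/.*)` and `/var/log/dirsrv(/.*)` lack the trailing `?` that dirsrv-admin.fc uses (`/etc/dirsrv/admin-serv(/.*)?`), so only the contents match and the directories themselves keep the parent's default label; they should read e.g. `/etc/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_config_t,s0)`. In dirsrv.te the final `optional_policy` block grants `rpcbind_stream_connect(initrc_t)` to initrc_t rather than to a dirsrv domain, and initrc_t is neither declared nor listed in a gen_require in this module; if it is meant for the start-dirsrv/restart-dirsrv scripts labeled initrc_exec_t, it belongs in the init policy or at least needs a comment saying why it lives here. The interface `dirsrvadmin_read_config` only calls read_files_pattern, yet its summary says "Manage dirsrv-adminserver configuration files"; it should read `## Read dirsrv-adminserver configuration files.`. The web-reachable CGI domain httpd_dirsrvadmin_script_t is given `setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override` plus `corenet_tcp_connect_generic_port`, a wide grant for scripts driven by HTTP requests; a short comment per capability naming the operation that requires it would make that set reviewable and let unneeded ones be dropped later. The stray `;` after `files_type(dirsrv_share_t)` and after `manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t)` is inconsistent with the rest of the file and should be removed.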
@@ -25552,7 +26159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.19/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/mysql.te 2010-06-21 15:32:41.673073820 +0200
++++ serefpolicy-3.7.19/policy/modules/services/mysql.te 2010-11-15 10:41:35.381147405 +0100
@@ -65,6 +65,7 @@
manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
@@ -25577,6 +26184,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysq
files_read_etc_files(mysqld_safe_t)
files_read_usr_files(mysqld_safe_t)
files_dontaudit_getattr_all_dirs(mysqld_safe_t)
+@@ -184,6 +187,8 @@
+
+ hostname_exec(mysqld_safe_t)
+
++logging_send_syslog_msg(mysqld_safe_t)
++
+ miscfiles_read_localization(mysqld_safe_t)
+
+ mysql_manage_db_files(mysqld_safe_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.19/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/services/nagios.fc 2010-05-28 09:42:00.131610831 +0200
@@ -25677,7 +26293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
+/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.19/policy/modules/services/nagios.if
--- nsaserefpolicy/policy/modules/services/nagios.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/nagios.if 2010-09-23 15:05:10.602684332 +0200
++++ serefpolicy-3.7.19/policy/modules/services/nagios.if 2010-11-15 15:07:11.971147348 +0100
@@ -64,8 +64,8 @@
########################################
@@ -25706,7 +26322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
')
########################################
-@@ -99,3 +100,155 @@
+@@ -99,3 +100,157 @@
domtrans_pattern($1, nrpe_exec_t, nrpe_t)
')
@@ -25808,6 +26424,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
+ dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write };
+ dontaudit nagios_$1_plugin_t nagios_log_t:file { read write };
+
++ files_read_usr_files(nagios_$1_plugin_t)
++
+ miscfiles_read_localization(nagios_$1_plugin_t)
+')
+
@@ -34050,7 +34668,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar
init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.7.19/policy/modules/services/smartmon.te
--- nsaserefpolicy/policy/modules/services/smartmon.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/smartmon.te 2010-10-05 16:29:21.802651275 +0200
++++ serefpolicy-3.7.19/policy/modules/services/smartmon.te 2010-11-15 14:09:31.283147945 +0100
@@ -73,6 +73,7 @@
files_read_etc_runtime_files(fsdaemon_t)
# for config
@@ -34059,12 +34677,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar
fs_getattr_all_fs(fsdaemon_t)
fs_search_auto_mountpoints(fsdaemon_t)
-@@ -83,6 +84,8 @@
+@@ -83,6 +84,9 @@
storage_raw_read_fixed_disk(fsdaemon_t)
storage_raw_write_fixed_disk(fsdaemon_t)
storage_raw_read_removable_device(fsdaemon_t)
+storage_read_scsi_generic(fsdaemon_t)
+storage_write_scsi_generic(fsdaemon_t)
++storage_create_fixed_disk_dev(fsdaemon_t)
term_dontaudit_search_ptys(fsdaemon_t)
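Review bot: `storage_create_fixed_disk_dev(fsdaemon_t)` lets smartd create fixed-disk device nodes, a grant that neither the commit message nor the new changelog entry mentions and that the hunk does not explain, unlike the existing raw read/write rules around it. Please add a comment above the rule naming the operation or denial that needs it, e.g. `# smartd creates fixed disk device nodes when <OPERATION PLACEHOLDER>`, and list the change in the 3.7.19-72 changelog entry so the widened device access is traceable. The enclosing fsdaemon_t policy block starts and ends outside this hunk.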
@@ -34097,8 +34716,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smok
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.7.19/policy/modules/services/snmp.if
--- nsaserefpolicy/policy/modules/services/snmp.if 2010-04-13 20:44:36.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/snmp.if 2010-09-16 16:46:09.199637062 +0200
-@@ -62,6 +62,7 @@
++++ serefpolicy-3.7.19/policy/modules/services/snmp.if 2010-11-15 17:53:35.780147148 +0100
+@@ -62,11 +62,32 @@
type snmpd_var_lib_t;
')
@@ -34106,7 +34725,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp
allow $1 snmpd_var_lib_t:dir list_dir_perms;
read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
-@@ -83,7 +84,7 @@
+ ')
+
++#######################################
++## <summary>
++## Append snmpd libraries.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`snmp_append_snmp_var_lib_files',`
++ gen_require(`
++ type snmpd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ allow $1 snmpd_var_lib_t:dir list_dir_perms;
++ append_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
++')
++
+ ########################################
+ ## <summary>
+ ## dontaudit Read snmpd libraries.
+@@ -83,7 +104,7 @@
')
dontaudit $1 snmpd_var_lib_t:dir list_dir_perms;
dontaudit $1 snmpd_var_lib_t:file read_file_perms;
@@ -34115,7 +34759,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp
')
########################################
-@@ -128,7 +129,7 @@
+@@ -128,7 +149,7 @@
type snmpd_initrc_exec_t;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9c10af7..446580a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 71%{?dist}
+Release: 72%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -318,6 +318,7 @@ Conflicts: audispd-plugins <= 1.7.7-1
Obsoletes: mod_fcgid-selinux <= %{version}-%{release}
Obsoletes: cachefilesd-selinux <= 0.10-1
Conflicts: seedit
+Conflicts: 389-ds-base < 1.2.7, 389-admin < 1.1.12
%description targeted
SELinux Reference policy targeted base module.
@@ -469,6 +470,11 @@ exit 0
%endif
%changelog
+* Mon Nov 15 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-72
+- Allow mysqld-safe to send system log messages
+- Add dirsrv and dirsrv-admin policy
+- Allow nagios plugins to read usr files
+
* Fri Nov 12 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-71
- Add label for libvideo_filter_wrapper_plugin.so
- Fixes for corosync policy